A group of criminals earned nearly $250,000 by installing a cryptocurrency miner on vulnerable 
Oracle WebLogic and PeopleSoft servers. 

Morphus Labs chief research officer Renato Marinho reported this week on an uptick in attacks on 
enterprise servers that exploit a critical WebLogic flaw that Oracle patched in October. But thanks to 
an exploit published by a Chinese researcher in December, hundreds of unpatched WebLogic and 
PeopleSoft servers across the globe have been co-opted as mining bots, boosting the attackers' 
capacity to mine the Bitcoin alternative Monero. 
Surprisingly, the WebLogic vulnerability would allow the attackers to steal data from affected PeopleSoft 
systems, or even install ransomware, yet the group has so far only used the vulnerability to install a 
Monero miner. And it's paying off. 
One of the operations using the WebLogic exploit has so far mined 611 Monero, worth about 
$226,070 at current prices. The WebLogic exploit helped boost the number of mining bots working for the 
attackers; however, it's likely that many of these Monero were mined prior to December. Another group 
using the same exploit was mining AEON but had only earned about $6,000. 
Marinho figures the compromised machines were detected because the script that downloads the 
Monero miner "accidentally" kills the WebLogic service after compromise. WebLogic is a Java EE 
application server, and the script replaces its java binary with the Monero miner xmrig, a legitimate 
miner that the attackers are illegitimately running on other people's hardware. 
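The crash described above gives defenders a concrete host-level check: if the JVM binary that WebLogic launches no longer matches its known-good hash, or carries strings typical of a miner build, the server has likely been tampered with. The following is an added example of such a check, not code from the article or from Morphus Labs; the baseline hash, the sample file contents and the marker strings (`xmrig`, `stratum+tcp://`, `cryptonight`) are constructed for the demonstration, and the path to the real JVM on a given server is an assumption the operator would fill in.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_java_binary(path, baseline_sha256):
    """Compare the JVM binary at `path` with a baseline hash recorded at install time.

    Returns a dict with status 'missing', 'replaced' or 'ok'. A 'replaced' result on the
    java binary WebLogic starts from is exactly the symptom the article describes.
    """
    if not os.path.exists(path):
        return {"status": "missing", "path": path}
    actual = sha256_of(path)
    if actual != baseline_sha256:
        return {"status": "replaced", "path": path,
                "actual": actual, "expected": baseline_sha256}
    return {"status": "ok", "path": path, "actual": actual}


# Strings commonly present in Monero miner builds (assumed markers, used for triage only).
MINER_MARKERS = (b"xmrig", b"stratum+tcp://", b"cryptonight")


def looks_like_miner(path):
    """Cheap triage: return the marker strings found inside the binary, in MINER_MARKERS order."""
    with open(path, "rb") as f:
        data = f.read()
    return [m.decode() for m in MINER_MARKERS if m in data]


def demo():
    """Constructed scenario: a fake 'good' JVM is baselined, then overwritten by a fake miner."""
    with tempfile.TemporaryDirectory() as d:
        java = os.path.join(d, "java")  # stands in for e.g. $JAVA_HOME/bin/java (assumed path)
        with open(java, "wb") as f:
            f.write(b"\x7fELF fake jvm (constructed sample)")
        baseline = sha256_of(java)  # would be recorded when the JDK was installed
        before = check_java_binary(java, baseline)

        # Simulate the replacement step: the JVM is swapped for a miner binary.
        with open(java, "wb") as f:
            f.write(b"\x7fELF xmrig stratum+tcp://pool.invalid:3333 (constructed sample)")
        after = check_java_binary(java, baseline)
        markers = looks_like_miner(java)
    return before["status"], after["status"], markers


if __name__ == "__main__":
    print(demo())
```

In practice the baseline hashes would be stored off-host (or in a package manager's database) so that an attacker who replaces the binary cannot also rewrite the reference value, and the check would run from cron or an EDR agent rather than by hand.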
On January 2 an admin posted a report on Oracle's support forum documenting the same Monero 
attack after discovering errors that shut down a WebLogic service and an Oracle Access 
Management server. 

Marinho has found hundreds of attacked WebLogic and PeopleSoft servers around the world, which 
are mostly hosted on cloud services, such as AWS, Digital Ocean, Google, Microsoft, Oracle Cloud 
and OVH. 

In a follow-up analysis Johannes Ullrich, dean of research at the SANS Institute, said the attacks rely 
on an exploit developed and published by Chinese security researcher Lian Zhang in late December. 
The vulnerability it targets, CVE-2017-10271, has a CVSS score of 9.8 and is easily exploitable. 

“Once the exploit was published, anybody with limited scripting skills was able to participate in taking 
down WebLogic (/PeopleSoft) servers,” wrote Ullrich. 
Both Ullrich and Marinho were surprised the attackers didn't use the exploit to cause more damage, 
especially given the data hosted on PeopleSoft servers. 
"PeopleSoft itself is a complex enterprise process management system. The name implies human 
resource functions, but the software goes way beyond simple HR features. Typically, 'everything' in 
an organization lives in PeopleSoft," said Ullrich. 
"An attacker would probably have been able to do a lot more damage to an organization by 
exfiltrating the data that lives on the system, or worse, modify it." 